Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Foreman and Active Directory integration (Kerberos Single Sign-On)

This script installs and configures Foreman with Active Directory integration

What the script does:

  • Configures Active Directory as its name resolver
  • Using sssd and realmd the rhel server joins the AD domain (DNS record, computer account, host SPN created in the AD)
  • Using samba, HTTP spn is created in AD and a keytab that contains the HTTP principal
  • Foreman is installed with IPA/AD support, SSO is configured

Sources

Notes:

  • The script should be converted to Ansible Playbook
  • Because of a bug (bugzilla 1271618) realm join has to run with --membership-software=samba
yum -y install https://yum.puppetlabs.com/puppetlabs-release-pc1-el-7.noarch.rpm; \
yum -y install http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm; \
yum -y install https://yum.theforeman.org/releases/1.15/el7/x86_64/foreman-release.rpm; \
yum -y install foreman-release-scl; \
yum -y install foreman-installer; \
nmcli con mod ens33 ipv4.dns "192.168.227.147,192.168.227.2"; \
nmcli con mod ens33 ipv4.dns-search "test.local"; \
nmcli general hostname foreman1; \
systemctl restart systemd-hostnamed; \
systemctl restart network; \
systemctl stop firewalld; \
systemctl disable firewalld; \
yum -y install gssproxy sssd adcli realmd samba-common-tools ipa-python; \
echo password | realm join -v test.local --membership-software=samba; \
echo '[global]
   server = unused
   realm = TEST.LOCAL' | tee /etc/ipa/default.conf; \
echo '[global]
   workgroup = TEST
   realm = TEST.LOCAL
   kerberos method = system keytab
   security = ads' | tee /etc/net-keytab.conf; \
KRB5_KTNAME=FILE:/etc/gssproxy/http.keytab net ads keytab add HTTP -U Administrator%password -d3 -s /etc/net-keytab.conf; \
chown root:root /etc/gssproxy/http.keytab; \
sed  -i '1i includedir /var/lib/sss/pubconf/krb5.include.d/' /etc/krb5.conf; \
mkdir -p /etc/httpd/conf/; \
touch /etc/httpd/conf/http.keytab; \
foreman-installer --foreman-proxy-dhcp=false --foreman-proxy-tftp=false --foreman-ipa-authentication=true; \
echo '.include /usr/lib/systemd/system/gssproxy.service
[Service]
Environment=KRB5RCACHEDIR=/var/lib/gssproxy/rcache' | tee /etc/systemd/system/gssproxy.service; \
systemctl daemon-reload; \
systemctl restart gssproxy.service; \
systemctl enable gssproxy.service; \
echo '.include /lib/systemd/system/httpd.service
[Service]
Environment=GSS_USE_PROXY=1' | tee /etc/systemd/system/httpd.service; \
systemctl daemon-reload; \
systemctl restart httpd.service;
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment